Why your cyber policies are failing you from the inside out

Wednesday 14 June 2017 | 08:50 AM CET

Mike Shultz, Cybernance: Cybersecurity must now be considered an integral piece of an organization’s culture at all levels

When it comes to cybersecurity, organizations are increasingly paying for a habit of looking backward. For too long they have waited until a breach occurs before evaluating their cyber policies, but by that point the irreversible (and often financially devastating) damage has already been done. The cycle is perpetuated by the natural erosion of people, policies and procedures within an organization over time, which leaves financial institutions vulnerable to breaches both from the inside and at the perimeter.

The policies and procedures we live by every day, such as locking the car each night, are the ones that most strongly shape how we adapt to the needs and challenges of our environment, and the same holds in business. Policies and procedures that protect your company and its stakeholders must be supported and exercised regularly if they are to have a lasting effect.

But overlooking common-sense processes is a natural, almost inevitable part of business in every sector. New people join the organization, processes change, staff grow lax in their day-to-day duties, and policies stop being applied the way they were originally intended. These are the small oversights that turn into vulnerabilities in an organization's security, and they are why policies need to be embedded at the DNA level if financial institutions are to be adequately protected, from the inside out.

Breaking down people, policies and procedures

Organizations have relied on their current policies for so long that it is only natural those policies have become shopworn. It is when such internal breakdowns go unaddressed that incidents like the 2013 Target breach occur. Attackers got in using network credentials stolen from a third-party vendor and planted card-harvesting malware on Target's point-of-sale systems; the breach exposed some 40 million payment card accounts and the personal data of up to 70 million customers. It was an internal, procedural failure (vendor access, network segmentation and the handling of security alerts) that cost the company close to USD 300 million, a loss that could feasibly have been prevented. In fact, the Department of Homeland Security estimates that 85% of cyberattacks are preventable through proactive risk mitigation.

The recent WannaCry attack is another argument for reevaluating internal defenses. By encrypting files on infected machines, WannaCry rendered them unusable unless the owner paid a ransom of USD 300 in bitcoin (rising to USD 600 after three days). In total the ransomware affected hundreds of thousands of computers in some 150 countries, paralyzing businesses, government entities and Britain's National Health Service. The most important thing to understand about why it spread so far is this: it did not need phishing at all. WannaCry propagated on its own as a worm, exploiting a flaw in the SMBv1 file-sharing protocol for which Microsoft had published a patch (MS17-010) two months earlier; machines that had been patched, or that had SMBv1 disabled, were not infected. A policy that required prompt patching and the retirement of unsupported systems, and that was actually followed, would have made it null and void. Phishing, meanwhile, is the #1 delivery vehicle for ransomware in general, and it can reach everyone in an organization, all the way up to the CEO, one of the keepers of an organization's most sensitive and confidential information. With access to a CEO's email, credentials and other communications, attackers can request information from others in the organization, initiate wire transfers, or demand actions from executives and employees that they should not take. Knowing the damage an attack on the C-suite can do to the entire organization, it is essential to treat cyber risk mitigation as a priority at every level.

Creating a cyber conscious culture

Cybersecurity must now be considered an integral piece of an organization's culture at all levels, not just a function of the IT team. New regulations such as the New York Department of Financial Services cybersecurity rule (23 NYCRR Part 500, in force since March 2017) are forcing financial organizations to assess their cyber maturity proactively in order to defend against incidents like the Target breach and WannaCry, but it will take a dramatic shift in how financial services firms view cyber risk before notable improvements appear.

As the global payments industry continues to grow more sophisticated, the cybersecurity policies implemented within it must evolve alongside it to remain effective. This means ensuring that everyone at your payments processing organization or financial institution, from entry level to the C-suite and board, is properly trained to monitor, assess and mitigate cyber risk in line with the latest regulations and frameworks, such as the NIST Cybersecurity Framework from the National Institute of Standards and Technology and the ISO/IEC 27001 standard from the International Organization for Standardization. The primary function of these frameworks is to make the essential processes that protect your organization's wider infrastructure part of your daily routine, much as you remember to lock your car each night.

Maximizing security competency throughout the financial realm will not be accomplished overnight. As with all habits, creating a cyber conscious culture will require constant diligence and practice to protect critical data in every corner of an organization, but that process must start now; otherwise your organization will remain easy prey.

About Mike Shultz

Mike drives strategic vision for the cyber risk governance company Cybernance. As former CEO of Infoglide Software, he led it to a successful acquisition by FICO in 2013. A serial entrepreneur, Mike was also formerly founder and CEO of QuestLink Technology. Mike is an Ernst & Young Entrepreneur of the Year Award recipient.

About Cybernance

Cybernance is a cyber risk governance platform that regulated industries, public companies, and government agencies rely on to effectively oversee and manage cyber risk. In 2017, Cybernance became the first cyber governance platform to receive SAFETY Act designation from the Department of Homeland Security, which provides customers with the highest form of liability protection in the event of a cybercriminal breach.